
WebAPI : 403 Forbidden after publish website

Alright, I'm having a tough time locating the problem since it works locally but after doing a publish the results are simply:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

The code:

[RoutePrefix("api/v1/project")]
public class ProjectController : BaseApiController
{
    [HttpGet]
    public HttpResponseMessage GetProjects()
    {
        HttpResponseMessage resp = new HttpResponseMessage(HttpStatusCode.OK);
        if(User.Identity.IsAuthenticated)
        {
            var model = new ModelFactory().CreateProjects();
            resp = Request.CreateResponse(HttpStatusCode.OK, model);
        }
        return resp;
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // all actions under /project routes require authentication
        config.Routes.MapHttpRoute(
            name: "ProjectApi",
            routeTemplate: "api/v1/{controller}/{action}/{apikey}",
            defaults: new { apikey = RouteParameter.Optional },
            constraints: new { controller = "project" },
            handler: new BasicAuthHandler(config));

        // all routes require an API key
        config.MessageHandlers.Add(new ApiKeyHandler());
        config.MapHttpAttributeRoutes();
    }
}

I've tried several "solutions" from the net yet none of them seems to fix this. I've added the:

// Stop IIS/Asp.Net breaking our routes
RouteTable.Routes.RouteExistingFiles = true;

from: http://www.grumpydev.com/2013/09/17/403-14-error-when-trying-to-access-a-webapi-route/

And also made sure that:

<modules runAllManagedModulesForAllRequests="true">

Having the code above, using the following link gives a successful connection where it checks (in the correct order) the API key (ApiKeyHandler), checks if the user needs to log in (BasicAuthHandler) and then goes to the method in the controller ({controller}/{action}).

// THIS WORKS!
http://localhost:51077/api/v1/project/getprojects?apikey=123456

then we do a publish and try the same thing

// This is haunted with number 403
http://website.com/api/v1/project/getprojects?apikey=123456

gives the Error Code: 403 Forbidden.

I am clueless. I've even tried changing the whole publish folder's security settings for "NETWORK SERVICE" to full access.. no change.

Let me know if you need any more intel.

Yenza asked Oct 19 '22 10:10


1 Answer

Called the web server machine fellas and they had a firewall blocking incoming webapi calls with authenticating. It now works as it should :)

Yenza answered Oct 22 '22 22:10
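
To tell a block in front of the site from a rejection inside the application, one option is a message handler that logs every request reaching the Web API pipeline: if the published site returns 403 and no ARRIVED line appears, the request was denied before Web API saw it. This is an added example, not code from the original post; ArrivalLogHandler, StubInnerHandler and Demo are hypothetical names, and the stub stands in for the rest of the pipeline so the demo runs offline.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler (not from the question): records each request that
// actually reaches the Web API message-handler pipeline.
public class ArrivalLogHandler : DelegatingHandler
{
    private readonly Action<string> _log;
    public ArrivalLogHandler(Action<string> log) { _log = log; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Log the path only: the query string carries the apikey.
        string path = request.RequestUri.AbsolutePath;
        _log("ARRIVED  " + request.Method + " " + path);
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        _log("ANSWERED " + request.Method + " " + path + " -> " + (int)response.StatusCode);
        return response;
    }
}

// Constructed stand-in for the rest of the pipeline, so the demo runs offline.
public class StubInnerHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
    }
}

public static class Demo
{
    // In the real site, register it first so it runs before ApiKeyHandler:
    //   config.MessageHandlers.Insert(0,
    //       new ArrivalLogHandler(m => System.Diagnostics.Trace.WriteLine(m)));
    public static void Main()
    {
        var handler = new ArrivalLogHandler(Console.WriteLine) { InnerHandler = new StubInnerHandler() };
        using (var invoker = new HttpMessageInvoker(handler))
        {
            var request = new HttpRequestMessage(HttpMethod.Get,
                "http://localhost:51077/api/v1/project/getprojects?apikey=123456");
            invoker.SendAsync(request, CancellationToken.None).GetAwaiter().GetResult();
        }
    }
}
```

A missing ARRIVED line only shows that the denial happened somewhere in front of the handler pipeline; it does not by itself distinguish a firewall from IIS or another intermediary.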